Security and Compliance
A Legacy of Trust
Quick Base was a division of Intuit, a global leader in financial and business solutions, from 1999 until its divestiture in 2016. Today, Quick Base is building on a long legacy of trust to continue to meet higher levels of security and compliance.
- Embedding best practices into everything we do, in every part of our company
- Alignment of our processes and controls with industry standards
- Being transparent with our customers and continuing to learn from them
The security and confidentiality of our customers’ apps and data on the Quick Base platform is a shared responsibility between Quick Base and our customers. Quick Base provides a secure platform where customers can build and manage their apps. Additionally, Quick Base provides tools, support and resources that enable our customers to maintain secure apps.
Customers have numerous responsibilities around the security of Quick Base apps and data held within them. Customers must understand what data they intend to collect and store in their Quick Base apps, and ensure that risk and compliance requirements are addressed which correlate to the importance and classification of that data. Customers must ensure that security is addressed in the development of Quick Base apps, including ensuring that apps are shared with only those who are authorized to access them.
Quick Base’s Compliance & Information Security Officer (CISO), part of the Executive Management team, sets the vision and strategy for the company’s security and compliance program, with the goal of providing strategic direction, ascertaining that risks are managed appropriately and ensuring that objectives are achieved.
Quick Base’s Security Council is composed of leadership from Product Development, Operations and Corporate IT and is responsible for aligning corporate, development and infrastructure controls with best practices as set by the CISO in conjunction with Quick Base business and compliance objectives.
Background Checks and Security Training
All Quick Base staff undergo background checks before they’re hired. All Quick Base staff are also required to take mandatory security, ethics and privacy training once they join Quick Base and on an ongoing basis during their employment with Quick Base.
Security in Software Development
Quick Base integrates security testing into each phase of the development lifecycle —from static code security checks, to dynamic web scans which run continuously, to annual penetration tests by security experts. We train our development team on security best practices.
Quick Base is a shared application Platform as a Service (aPaaS) with logical access segregating each customer’s data. Quick Base controls logical access to data via authentication and authorization at the Realm, Account and Application layers. Realms, otherwise thought of as a domain, hold customer Accounts. Within accounts are Quick Base Applications which are managed by Quick Base customers. Quick Base customers can manage access and permissions at the Realm, Account and App layers via the Quick Base platform.
Quick Base encrypts customer data in motion and at rest. All communications over non-trusted Internet networks are encrypted via a 256 bit (SHA2) TLS certificate, TLS 1.0, 1.1, 1.2. Quick Base encrypts data at rest at the application layer including app data and file attachments using AES256. Quick Base is disabling support for TLS 1.0 in April 2018.
Operations and Monitoring
Quick Base’s operations team employs automated incident detection, escalation technologies and procedures which ensure that any infrastructure or platform issue is rapidly addressed, 24x7x365. Customers may view status updates at https://service.quickbase.com/
Quick Base data is continuously replicated from the production to the Disaster Recovery data center. In each data center, Quick Base data is backed up via a daily snapshot from online storage to alternate online storage within the same data center. Quick Base maintains 14 daily snapshots and 7 months of weekly snapshots. This same procedure is done in the disaster recovery data center. The backup data is encrypted by virtue of the fact that the data is encrypted at the application layer. Quick Base does not use backup tapes or off site storage.
Role Based Access
A small team of operations personnel have administrative access to the infrastructure which hosts Quick Base. At the application layer, Quick Base staff do not have access to customer Quick Base apps unless they are invited or authorized by the customer. Additionally, Quick Base developers occasionally require read/only access to systems which hold metadata, scripts and app schema in order to troubleshoot.
Customers are responsible for understanding and implementing their data retention and deletion requirements for the data they upload to Quick Base. Customers may delete data at any time and since Quick Base maintains backups for 6 months, it may take up to 6 months for their data to be completely purged from our backup systems once it has been deleted from their apps.
Secure Hosting Facilities
The Quick Base platform is hosted at Tier 4 ViaWest data centers located in Las Vegas, NV and Denver, CO. ViaWest has spent nearly two decades building world class data centers with the sole purpose of providing best-in-class colocation and network services designed to meet the most demanding IT requirements.
Additionally Quick Base utilizes Amazon AWS for ancillary services such as WebHooks and Quick Base Sync.
Each component of the infrastructure which powers Quick Base — from network equipment to web, app and database servers—is highly available and redundant.
Quick Base maintains 2 geographically diverse production-ready data centers; data is replicated from the production data center to the hot standby disaster recovery (DR) data center with up to a 15 minute delay, i.e., a recovery point objective (RPO) of 15 minutes. Upon a disaster being declared at the production site, Quick Base requires two (2) hours to bring up production at the DR site, i.e., a recovery time objective (RTO) of 2 hours.
Security Incident Response
Quick Base commits to notifying affected customers of any suspected or confirmed data breach (once we become aware of) within 24 hours. We will notify customers via e-mail or phone.
Quick Base conducts annual attestations for several compliance standards and regulations including SOC 1/2/3, HIPAA and DFARS.
SOC 1/ SOC 2
Quick Base undergoes an annual SSAE16 SOC 1/ SOC 2 Type 2 examination covering Security and Availability Trust Services Principles defined by the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Quick Base began including SOC 1 audit in 2017. Please note customer app and realm controls are not part of the scope of Quick Base's SOC reports; therefore customers may want to include these pertinent Quick Base controls in their respective SOC examination.
Quick Base's SOC reports are issued in July annually and is available to customers or prospective customers under NDA.
The Health Insurance Portability and Accountability Act (“HIPAA”) is a United States law that applies to companies and other entities involved in the healthcare industry that may have access to patient information (called “Protected Health Information”, or “PHI”).
Quick Base abides by the HIPAA Security and Privacy rules in our operation of the Quick Base platform. Quick Base performs an annual HIPAA Attestation as part of our annual SOC examinations conducted by a 3rd party audit firm which validates Quick Base controls meet or exceed the requirements.
Quick Base enables its customers to build HIPAA-compliant applications. Quick Base's Customers are responsible for determining if they are a Covered Entity or Business Associate under HIPAA (and whether a business associate agreement with Quick Base is required) and for ensuring that it uses Quick Base in compliance with HIPAA. Customers who store or process Protected Health Information must sign a business associate agreement with Quick Base. Quick Base will sign BAAs with our customers on annual or multi-year contracts.
Quick Base utilizes a PCI compliant vendor to process credit cards for our customers. However, the Quick Base platform itself has not undergone a PCI audit, therefore credit card data should not be stored in Quick Base apps.
DFARS / NIST 800-171
NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). Quick Base hired an independent audit firm to validate Quick Base's compliance with the requirements of DFARS and has issued a report attesting to our compliance in December 2017.
Electronic discovery refers to discovery in legal proceedings such as litigation where the information sought is in electronic format. Quick Base supports key requirements of e-Discovery:
Preservation of Evidence
Upon legal hold being placed on customer data held within Quick Base apps, the customer may instruct personnel to preserve (not delete) apps and data. Additionally, the customer may choose to make copies of existing apps in order to preserve the data at that point in time. Lastly Quick Base maintains backup copies of customer apps and data. Customers may request apps to be restored via customer support.
Identification of Data
Quick Base provides the ability to search apps, however it is important to note that fields must be marked as searchable by the app owner. File attachments may also be searched; however they must be downloaded and searched locally.
Customers own their data which they have uploaded and stored within Quick Base.
Quick Base abides by privacy laws and regulations that are applicable to our hosting services and to our customers who host websites that may contain personal information on the Quick Base platform. Quick Base personnel may have logical access to customer data stored in Quick Base apps only if they are authorized, and have a need for access due to their job function. Quick Base does not transfer customer data hosted on Quick Base outside of the Quick Base hosted service, or to any third-party, without customer authorization.
Customers must ensure that privacy concerns and regulations are addressed and adhered to where customer personnel may have logical access to personal information uploaded or stored in the customer’s Quick Base apps.
International Association of Privacy Professionals (IAPP) - Member since 2018
Quick Base is an IAPP corporate member. The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for- profit organization that helps define, support and improve the privacy profession globally. For more information, go to the IAPP website: iapp.org
EU Data Protection Regulations
Quick Base is hosted in the United States and serves customers globally. There are several mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (a replacement to Safe Harbor), EU Model Contract clauses and end user consent.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce, and replaces the Safe Harbor program. Quick Base's certification under the Privacy Shield program may be viewed at the Privacy Shield site https://www.privacyshield.gov/...
EU Model Clauses
The EU Model Clause is a standard contract addendum between service providers such as Quick Base and its customers, designed to ensure that any personal data leaving the EEA will be transferred in compliance with EU data- protection law and meets the requirements of the EU Data Protection Directive 95/46/EC. Quick Base offers customers on annual contracts Standard Contractual Clauses that make specific guarantees around transfers of personal data for Quick Base services. This ensures that Quick Base customers can freely move data through Quick Base from the EU.
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on service providers like Quick Base which store and process EU personal data.
Quick Base views GDPR as an opportunity to deepen our commitment to privacy and data protection best practices. Similar to existing legal requirements, compliance with the GDPR requires a partnership between Quick Base and our customers in their use of our platform. Quick Base will comply with the GDPR in the delivery of our service to our customers and we are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation to help support Quick Base’s and our customers’ compliance with the GDPR. In addition to ensuring our own compliance with the provision of GDPR by the required date, we will be releasing an updated data processing addendum that contains additional provisions to assist our customers with their compliance with the GDPR.
Quick Base utilizes subprocessors for the provisioning of our Services to you as described in our agreements on https://www.quickbase.com/terms-of-service. For a list of our sub-processors please see https://www.quickbase.com/data...
Quick Base complies with U.S. regulations related to embargoed countries and regions. As such, Quick Base currently prohibits the unauthorized usage of its products and services in Cuba, Iran, North Korea, Sudan and Syria. Because this list of countries and regions may change from time to time, customers and their users are urged to consult the relevant regulations, including the U.S. Export Administration Regulations.
Quick Base products and services may not be exported to, re-exported to, transferred to, or used by any restricted person or entity, including those listed on the U.S. Treasury Department's list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person's List or Entity List, the State Department's Debarred list, or similar denied parties list without prior authorization by the U.S. Government.
For more information and for further assistance in determining your individual licensing requirements, contact the Department of Commerce, Bureau of Industry and Security (http://www.bis.doc.gov/) or Office of Foreign Assets Control (http://www.treasury.gov).
Quick Base products and services may not be exported, re-exported, or transferred if for use directly or indirectly in any prohibited activity described in Part 744 of the U.S. Export Administration Regulations, including certain nuclear, chemical or biological weapons, rocket systems or unmanned air vehicle end-uses.
To make the interface accessible to users with disabilities, Quick Base includes features that support several specifications in the Web Content Accessibility Guidelines (WCAG) 2.0.
The Voluntary Product Accessibility Template (VPAT) is a standardized form developed in partnership by the Information Technology Industry Council (ITI) and the U.S. General Services Administration (GSA) to document a product’s conformance with key regulations of Section 508 of the Rehabilitation Act. Quick Base has completed an accessibility assessment of the Quick Base platform and has documented their accessibility status using these VPATs. Quick Base's VPAT can be downloaded here.
Find a Security Issue?
Please visit our Responsible Disclosure page here.